From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Thu, 18 Feb 2016 18:55:54 +0000 (+0000)
Subject: sunrpc/cache: fix off-by-one in qword_get()
X-Git-Tag: v4.1.12-92~150^2~160
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=a22cd61a29bbcfac02f58def1d588049d599f87e;p=users%2Fjedix%2Flinux-maple.git

sunrpc/cache: fix off-by-one in qword_get()

Orabug: 23330967

[ Upstream commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 ]

The qword_get() function NUL-terminates its output buffer.  If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:

  int qword_get(char **bpp, char *dest, int bufsize)
  {
      ...
      while (len < bufsize) {
          ...
          *dest++ = (h << 4) | l;
          len++;
      }
      ...
      *dest = '\0';
      return len;
  }

This patch ensures the NUL terminator doesn't fall outside the output
buffer.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit 4ba9f8051f7fc263cc5915fd6c2ac6d9195418b4)

Signed-off-by: Dan Duval <dan.duval@oracle.com>
---

diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 2928afffbb81f..8d79e70bd9786 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1218,7 +1218,7 @@ int qword_get(char **bpp, char *dest, int bufsize)
 	if (bp[0] == '\\' && bp[1] == 'x') {
 		/* HEX STRING */
 		bp += 2;
-		while (len < bufsize) {
+		while (len < bufsize - 1) {
 			int h, l;
 
 			h = hex_to_bin(bp[0]);